AndersAu (thread author), posted 23 May 2008 (edited):

Lately my PC has become slow. I ran a scan with HijackThis, and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:00, on 23.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\Program Files\Sqof\Rezedw.exe
C:\Programfiler\Apoint2K\Apntex.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\DAEMON Tools\daemon.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~2.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Programfiler\SideFind\sfbho.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [telenor] C:\Programfiler\FriSurf\sad.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programfiler\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Lejbk] C:\Program Files\Sqof\Rezedw.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-21-1411074200-1179790526-1540833222-1916\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1644491937-682003330-1565\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programfiler\SideFind\sidefind.dll (file missing)
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...be1e10940b1a7ee 4d6b88713ffc07adc36a6c198daa84af66cad27b7bddb:0bcd3b08a0018c359992be6d71d48cd1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programfiler\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AC473116-C745-4470-B288-DD9B9CF291DA} (eCStartX.eCStartClass) - http://portal/components/eCStartX.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Programfiler\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Programfiler\AutoCAD 2002\InstFred.ocx
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programfiler\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ntvgs.no
O17 - HKLM\Software\..\Telephony: DomainName = ntvgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ntvgs.no
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 9558 bytes

Edited 23 May 2008 by AndersAu
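The log above is the raw material for the triage that follows in this thread. As an added example (not from the original post, and not code from HijackThis or from the forum helper), here is a small Python script that parses lines in HijackThis's format and flags the three things a helper looks for first: registry entries whose file is gone (`(file missing)` / `(no file)`), O16 ActiveX downloads from a host outside an allowlist, and O4 autoruns that live outside an allowlist of vendor directories. Any flagged path under C:\WINDOWS is additionally marked so that it is checked before deletion. The sample lines are copied from the log above; the allowlists `KNOWN_AUTORUN_DIRS` and `KNOWN_DPF_HOSTS` are assumptions made up for this example, not a reputation database.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: entries copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~2.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [Lejbk] C:\Program Files\Sqof\Rezedw.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programfiler\AutoCAD 2002\AcDcToday.ocx
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(file missing)", "(no file)")

# Assumption for this example: autoruns under these directories are treated as
# known-good and everything else is queued for review. Not a real reputation list.
KNOWN_AUTORUN_DIRS = (r"c:\windows\system32", r"c:\programfiler\java", r"c:\norman")
# Assumption: hosts from which an O16 ActiveX download is expected on this machine.
KNOWN_DPF_HOSTS = ("go.microsoft.com",)


@dataclass
class Finding:
    code: str                 # HijackThis section, e.g. "O2" or "O16"
    target: str               # file path or URL the entry points at ("" for "(no file)")
    clsid: Optional[str]
    reasons: list = field(default_factory=list)


def _target(code: str, body: str) -> str:
    """Pull the path or URL out of one entry body."""
    if code == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" args (User 'X')
        m = re.search(r"\]\s*(.*)$", body)
        t = m.group(1) if m else body
        t = re.sub(r"\s*\(User '[^']*'\)$", "", t)
        if t.startswith('"'):                     # quoted path, possibly with arguments
            end = t.find('"', 1)
            return t[1:end] if end > 0 else t.strip('"')
        return t
    # O2/O3/O9/O16/O23: the target is the last " - " separated field
    return body.rsplit(" - ", 1)[-1]


def _strip_missing(t: str) -> str:
    for marker in MISSING_MARKERS:
        if t.endswith(marker):
            return t[: -len(marker)].strip()
    return t


def _host(target: str) -> Optional[str]:
    m = re.match(r"https?://([^/]+)", target, re.IGNORECASE)
    return m.group(1).lower() if m else None


def _under(path: str, prefixes) -> bool:
    p = path.lower()
    return any(p.startswith(pre) for pre in prefixes)


def analyze(log_text: str) -> list:
    """Return one Finding per HijackThis entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid_m = CLSID_RE.search(body)
        target = _strip_missing(_target(code, body))
        reasons = []
        if body.endswith(MISSING_MARKERS):
            reasons.append("orphan: registry entry points at a file that no longer exists")
        if code == "O16":
            host = _host(target)
            if host and host not in KNOWN_DPF_HOSTS:
                reasons.append(f"ActiveX component downloaded from {host}; review")
        if code == "O4" and not _under(target, KNOWN_AUTORUN_DIRS):
            reasons.append("autorun outside the known vendor directories; review")
        # The worry raised later in this thread: do not delete blindly under C:\WINDOWS.
        if reasons and _under(target, (r"c:\windows",)):
            reasons.append("path is under C:\\WINDOWS: confirm it is not a Windows system file before deleting")
        if reasons:
            findings.append(Finding(code, target, clsid_m.group(0) if clsid_m else None, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.code:<4} {f.clsid or '-':<40} {f.target or '(no file)'}")
        for r in f.reasons:
            print(f"     - {r}")
```

Run against the sample it reports six entries: the three orphaned BHOs, the orphaned YourSiteBar toolbar, the Lejbk autorun under an unknown directory, and the MoneyTree dialer CAB fetched from a remote host; wsem303.dll carries the extra C:\WINDOWS warning. The Java, Intel, WGA, AutoCAD and Norman entries produce nothing because they sit on the (assumed) allowlists or are local file:// references.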
norbat, posted 23 May 2008:

Work through the long version in the following post: https://www.diskusjon.no/index.php?showtopic=691246

Post the logs it asks for here in your own thread.
AndersAu (thread author), posted 23 May 2008:

OK, but regarding SAS, can I delete infections that sit in Windows files, system32 and so on? I've had problems before with deleting files that Windows needs in order to run properly..
norbat, posted 23 May 2008:

Yes, the infections SAS finds you delete. It is very rare for those files to be Windows system files.
AndersAu (thread author), posted 23 May 2008:

OK, it's my dad's work PC.. so I don't want to do anything wrong with it
AndersAu (thread author), posted 23 May 2008 (edited):

I have now run SAS; it found about 260 infections. I didn't get any option to delete them completely, I think they were just quarantined. When I open ComboFix I get a warning that 1 in 100 don't make it through the test; is it safe to run it anyway? Here is the new HijackThis log in any case:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30:07, on 23.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Apoint2K\Apntex.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Trend Micro\HijackThis\test.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programfiler\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...992be6d71d48cd1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programfiler\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AC473116-C745-4470-B288-DD9B9CF291DA} (eCStartX.eCStartClass) - http://portal/components/eCStartX.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Programfiler\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Programfiler\AutoCAD 2002\InstFred.ocx
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programfiler\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ntvgs.no
O17 - HKLM\Software\..\Telephony: DomainName = ntvgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ntvgs.no
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

Edit: and here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2008 at 03:43 PM

Application Version : 4.1.1046

Core Rules Database Version : 3467
Trace Rules Database Version: 1458

Scan type : Complete Scan
Total Scan Time : 01:30:44

Memory items scanned : 150
Memory threats detected : 0
Registry items scanned : 6172
Registry threats detected : 203
File items scanned : 23508
File threats detected : 48

Adware.Avenue Media
[Lejbk] C:\PROGRAM FILES\SQOF\REZEDW.EXE
C:\PROGRAM FILES\SQOF\REZEDW.EXE

Trojan.Search Variant
HKLM\Software\Classes\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\InprocServer32
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\InprocServer32#ThreadingModel
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\ProgID
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\Programmable
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\TypeLib
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\VersionIndependentProgID
C:\PROGRA~1\SEARCH~2\SEARCH~2.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}

Adware.IST/YourSiteBar
HKLM\Software\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\InprocServer32
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\InprocServer32#ThreadingModel
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\ProgID
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Programmable
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\TypeLib
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\VersionIndependentProgID
C:\PROGRA~1\YOURSI~1\YSB.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{86227D9C-0EFE-4f8a-AA55-30386A3F5686}
HKCR\Ysb.YsbObj.1
HKCR\Ysb.YsbObj.1\CLSID
HKCR\Ysb.YsbObj
HKCR\Ysb.YsbObj\CLSID
HKCR\Ysb.YsbObj\CurVer
HKCR\TypeLib\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}
HKLM\Software\YourSiteBar
HKLM\Software\YourSiteBar#installTitle
HKLM\Software\YourSiteBar#barTitle
HKLM\Software\YourSiteBar#serverpath
HKLM\Software\YourSiteBar#urlAfterInstall
HKLM\Software\YourSiteBar#gUpdate
HKLM\Software\YourSiteBar#TBRowMode
HKLM\Software\YourSiteBar#yoursitebar.xml
HKLM\Software\YourSiteBar#imagemap_normal.bmp
HKLM\Software\YourSiteBar#showcorrupted
HKLM\Software\YourSiteBar#updatever
HKLM\Software\YourSiteBar#refreshscope
HKLM\Software\YourSiteBar#allowupdate
HKLM\Software\YourSiteBar#LastCheckTime
HKLM\Software\YourSiteBar#version.txt
HKLM\Software\YourSiteBar#UpdateBegin
HKLM\Software\YourSiteBar\Historyfiles
HKLM\Software\YourSiteBar\Historyfiles#C:\PROGRA~1\YOURSI~1\yoursitebar.xml
HKLM\Software\YourSiteBar\Historyfiles#C:\PROGRA~1\YOURSI~1\imagemap_normal.bmp
HKLM\Software\YourSiteBar\Historyfiles#C:\PROGRA~1\YOURSI~1\version.txt
HKLM\Software\YourSiteBar\Historysrcbox
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar#HelpLink

Adware.IST/SideFind
HKLM\Software\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\Implemented Categories
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\InprocServer32
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\InprocServer32#ThreadingModel
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\ProgID
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\Programmable
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\TypeLib
HKCR\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\VersionIndependentProgID
C:\PROGRAMFILER\SIDEFIND\SIDEFIND.DLL
HKLM\Software\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
HKCR\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
HKCR\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
HKCR\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\InprocServer32
HKCR\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\InprocServer32#ThreadingModel
HKCR\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\ProgID
HKCR\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\Programmable
HKCR\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\TypeLib
HKCR\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\VersionIndependentProgID
C:\PROGRAMFILER\SIDEFIND\SFBHO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
HKCR\SideFind.Finder
HKCR\SideFind.Finder\CLSID
HKCR\SideFind.Finder\CurVer
HKCR\SideFind.Finder.1
HKCR\SideFind.Finder.1\CLSID
HKLM\Software\SideFind
HKLM\Software\SideFind#account_id
HKLM\Software\SideFind#PathBHO
HKLM\Software\SideFind#PathDLL
HKLM\Software\SideFind#PathXML
HKLM\Software\SideFind#PathEXE
HKLM\Software\SideFind#InstallDate
HKLM\Software\SideFind#SearchSite
HKLM\Software\SideFind#update
HKLM\Software\SideFind#ver
HKLM\Software\SideFind#IntervalBetweenShows
HKLM\Software\SideFind#show
HKLM\Software\SideFind#NextShow
HKLM\Software\SideFind#NextReaction
HKLM\Software\SideFind\History
HKLM\Software\SideFind\History#0
HKLM\Software\SideFind\History#1
HKLM\Software\SideFind\History#2
HKLM\Software\SideFind\History#3
HKLM\Software\SideFind\History#4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind#UninstallString
C:\Programfiler\SideFind\sfexd001
C:\Programfiler\SideFind\update
C:\Programfiler\SideFind

BHObj Class BHO
HKLM\Software\Classes\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
HKCR\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
HKCR\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
HKCR\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\InprocServer32
HKCR\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\InprocServer32#ThreadingModel
HKCR\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\ProgID
HKCR\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\Programmable
HKCR\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\TypeLib
HKCR\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\VersionIndependentProgID
C:\WINDOWS\WSEM303.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}

Adware.IST/ISTBar (Slotch Bar)
HKLM\Software\ISTsvc
HKLM\Software\ISTsvc#version
HKLM\Software\ISTsvc#app_name
HKLM\Software\ISTsvc#popup_url
HKLM\Software\ISTsvc#update_url
HKLM\Software\ISTsvc#config_url
HKLM\Software\ISTsvc#popup_initial_delay
HKLM\Software\ISTsvc#popup_count
HKLM\Software\ISTsvc#update_count
HKLM\Software\ISTsvc#update_version
HKLM\Software\ISTsvc#config_count
HKLM\Software\ISTsvc#account_id
HKLM\Software\ISTsvc#app_date
HKLM\Software\ISTsvc#popup_interval
HKLM\Software\ISTsvc#popup_last
HKLM\Software\ISTsvc#update_interval
HKLM\Software\ISTsvc#update_last
HKLM\Software\ISTsvc#config_interval
HKLM\Software\ISTsvc#config_last
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc#NoModify
C:\Programfiler\ISTsvc
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]

Adware.Avenue Media/Internet Optimizer
HKCR\DyFuCA_BH.BHObj
HKCR\DyFuCA_BH.BHObj\CLSID
HKCR\DyFuCA_BH.BHObj\CurVer
HKCR\DyFuCA_BH.BHObj.1
HKCR\DyFuCA_BH.BHObj.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout#Comment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout#DComment
HKLM\Software\Avenue Media
HKLM\Software\Avenue Media\Internet Optimizer
HKLM\Software\Avenue Media\Internet Optimizer#TargetDir
HKLM\Software\Avenue Media\Internet Optimizer#CLS
HKLM\Software\Avenue Media\Internet Optimizer#RID
HKLM\Software\Avenue Media\Internet Optimizer#Version
HKLM\Software\Avenue Media\Internet Optimizer#TAC
HKLM\Software\Avenue Media\Internet Optimizer#ServerVisited
HKLM\Software\Avenue Media\Internet Optimizer#UpdateInterval
HKLM\Software\Avenue Media\Internet Optimizer#ID
HKLM\Software\Avenue Media\Internet Optimizer#InstallT
HKLM\Software\Avenue Media\Internet Optimizer#remember[LLT]
HKLM\Software\Avenue Media\Internet Optimizer#Conn
HKLM\Software\Avenue Media\Internet Optimizer#PendingRemoval
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert#Version
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert#Target
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert\cf1
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert\cf1#RawData
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert\cf1#Data
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert\cf1#DiffAll
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert\cf1#TimeStamp
HKLM\Software\Avenue Media\Internet Optimizer\Active Alert\cf1#Version
HKLM\Software\Avenue Media\Internet Optimizer\Browser Helper
HKLM\Software\Avenue Media\Internet Optimizer\Browser Helper\cf1
HKLM\Software\Avenue Media\Internet Optimizer\Browser Helper\cf1#RawData
HKLM\Software\Avenue Media\Internet Optimizer\Browser Helper\cf1#Data
HKLM\Software\Avenue Media\Internet Optimizer\Browser Helper\cf1#DiffAll
HKLM\Software\Avenue Media\Internet Optimizer\Browser Helper\cf1#TimeStamp
HKLM\Software\Avenue Media\Internet Optimizer\Browser Helper\cf1#Version
HKLM\Software\Avenue Media\Internet Optimizer\WSE
HKLM\Software\Avenue Media\Internet Optimizer\WSE#Version
HKLM\Software\Avenue Media\Internet Optimizer\WSE#Options
HKLM\Software\Avenue Media\Internet Optimizer\WSE#ModuleFileName
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf2
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf2#RawData
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf2#Data
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf2#DiffAll
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf2#TimeStamp
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf2#Version
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf4
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf4#RawData
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf4#Data
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf4#DiffAll
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf4#TimeStamp
HKLM\Software\Avenue Media\Internet Optimizer\WSE\cf4#Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\AMeOpt
HKLM\SOFTWARE\Policies\Avenue Media

Adware.Tracking Cookie
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@valueclick[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@tribalfusion[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@mediaplex[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@2o7[2].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][2].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@realmedia[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@tradedoubler[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@advertising[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@imrworldwide[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@maxserving[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@overture[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@indextools[2].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][2].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@doubleclick[2].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@hitbox[2].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@statcounter[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@atdmt[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@adtech[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@apmebf[2].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\oyvind.aukrust@indexstats[1].txt
C:\Documents and Settings\oyvind.aukrust\Cookies\[email protected][1].txt
statse.webtrendslive.com [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
track.adform.net [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
track.adform.net [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
.adtech.de [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
e2.emediate.se [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
e2.emediate.se [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
ad.zanox.com [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
.telenorstartsiden.112.2o7.net [ C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\Mozilla\Firefox\Profiles\vijya4io.default\cookies.txt ]
C:\Documents and Settings\ynvsadm.NTVGS\Cookies\ynvsadm@adtech[1].txt
C:\Documents and Settings\ynvsadm.NTVGS\Cookies\ynvsadm@2o7[1].txt

Here is the ComboFix log:

ComboFix 08-05-21.3 - oyvind.aukrust 2008-05-23 16:45:57.1 - NTFSx86
Running from: C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Skrivebord\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.
2008-05-23 13:50 . 2008-05-23 13:50 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-05-23 13:50 . 2008-05-23 13:50 <DIR> d-------- C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\SUPERAntiSpyware.com
2008-05-23 13:50 . 2008-05-23 13:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-05-23 13:49 . 2008-05-23 13:49 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-05-23 12:48 . 2008-05-23 16:40 <DIR> dr-h----- C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Siste
2008-05-23 12:12 . 2008-05-23 12:12 <DIR> d-------- C:\Programfiler\CCleaner
2008-05-23 11:56 . 2008-05-23 11:56 <DIR> d-------- C:\Programfiler\Trend Micro
2008-05-11 13:20 . 2008-05-11 13:20 <DIR> d-------- C:\Programfiler\Sun
2008-05-11 13:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-11 13:07 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-11 13:07 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-11 12:43 . 2008-05-11 12:45 <DIR> d-------- C:\Programfiler\Windows Live
2008-05-11 12:43 . 2008-05-11 12:44 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller
2008-05-11 12:42 . 2008-05-11 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WLInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 11:36 --------- d-----w C:\Programfiler\Google 2008-05-23 10:39 --------- d--h--w C:\Programfiler\InstallShield Installation Information 2008-05-11 11:19 --------- d-----w C:\Programfiler\Java 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll 2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll 2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-20 08:11 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys 2008-03-01 16:35 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-02-29 08:58 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-02-29 08:58 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2001-10-05 09:53 21,866 -c--a-w C:\Programfiler\Fellesfiler\tppupd2k.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360] "SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchApp"="Alaunch" [] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-06-23 10:34 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-06-23 10:34 114688] "SoundMan"="SOUNDMAN.EXE" [2003-06-20 19:55 55296 C:\WINDOWS\SOUNDMAN.EXE] "AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 10:35 88267 C:\WINDOWS\AGRSMMSG.exe] "Apoint"="C:\Programfiler\Apoint2K\Apoint.exe" [2002-07-25 04:49 151552] "LManager"="C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE" [2003-06-27 17:01 155648] "GhostStartTrayApp"="C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 15:21 94208] "TPP Auto Loader"="C:\WINDOWS\TPPALDR.EXE" [2001-10-05 11:54 118784] "PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [1999-06-02 11:31 34816] "PE2CKFNT SE"="C:\Programfiler\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51 25088] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 14:40 183352] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\startupfolder\C:^Documents and Settings^All 
Users^Start-meny^Programmer^Oppstart^hp psc 1000 series.lnk] path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\hp psc 1000 series.lnk backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Photo Express Calendar Checker SE.lnk] path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Photo Express Calendar Checker SE.lnk backup=C:\WINDOWS\pss\Photo Express Calendar Checker SE.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^WinZip Quick Pick.lnk] path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\WinZip Quick Pick.lnk backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] C:\Programfiler\MSN Messenger\msnmsgr.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= R1 GhPciScan;GhostPciScanner;C:\Programfiler\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11] R2 eugss;EUTRON SmartKey GSS2 Driver;C:\WINDOWS\system32\Drivers\eugssxp.sys [2005-06-14 10:45] R2 KeyP;KeyP;C:\WINDOWS\system32\DRIVERS\KeyP.sys [1995-11-07 08:00] R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55] R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56] R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45] R3 
NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 13:23] S3 efipsk;efipsk;C:\DOCUME~1\OYVIND~1.YNV\LOKALE~1\Temp\efipsk.sys [] S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2005-06-14 10:45] S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 15:25] S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 15:25] S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 15:25] S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 15:25] S3 TPP300;USB Storage Adapter V3 (TPP);C:\WINDOWS\system32\DRIVERS\TPP300.SYS [2001-10-05 11:54] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73925f44-717e-11dc-9a61-000423707175}] \Shell\AutoRun\command - F:\Installer.exe *Newly Created Service* - CATCHME . Contents of the 'Scheduled Tasks' folder "2005-02-04 22:37:15 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1097530549.job" - C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-23 16:53:16 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-05-23 16:58:05 ComboFix-quarantined-files.txt 2008-05-23 14:57:47 Pre-Run: 11,762,442,240 byte ledig Post-Run: 12,333,379,584 byte ledig 123 --- E O F --- 2008-05-17 15:01:37 Endret 23. mai 2008 av AndersAu Lenke til kommentar
norbat Posted 23 May 2008
Yes, ComboFix is safe. Could you also post the SAS log (open the program and choose Preferences -> Statistics/Logs)?
AndersAu (thread author) Posted 23 May 2008
All the logs are now in the post above.
norbat Posted 23 May 2008
Good. To finish, post a new HJT log.
AndersAu (thread author) Posted 23 May 2008 (edited)
New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:31:50, on 23.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Apoint2K\Apntex.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Trend Micro\HijackThis\test.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programfiler\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...992be6d71d48cd1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programfiler\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AC473116-C745-4470-B288-DD9B9CF291DA} (eCStartX.eCStartClass) - http://portal/components/eCStartX.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Programfiler\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Programfiler\AutoCAD 2002\InstFred.ocx
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programfiler\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ntvgs.no
O17 - HKLM\Software\..\Telephony: DomainName = ntvgs.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ntvgs.no
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 7885 bytes

Edited 23 May 2008 by AndersAu
norbat Posted 23 May 2008
Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...992be6d71d48cd1
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB

Restart the PC.
Post a new HJT log and tell me how the PC is running.
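The entries norbat picks out above fall into a few mechanical patterns: a BHO or toolbar that is still registered but whose DLL is gone ("file missing"), an O16 ActiveX download point pulled from a host that is not Microsoft's, and a button belonging to a known adware family. The ComboFix log earlier in the thread adds two more worth a second look: a driver (efipsk) registered from the user's Temp directory with no file present, and a mountpoints2 AutoRun handler for a removable drive (F:\Installer.exe). The script below is an added example for this thread, not code from HijackThis, ComboFix, SUPERAntiSpyware or any poster. Its sample input is copied from the logs posted above; the trusted-host allow-list, the adware name deny-list and the severities are assumptions made for illustration, not an authoritative classification.

```python
"""Triage of HijackThis / ComboFix log lines (added example, not a tool from the thread)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed allow-list: hosts an O16 ActiveX download point may legitimately use.
TRUSTED_DPF_HOSTS = {"go.microsoft.com"}
# Assumed deny-list of adware product names that appear in this thread's logs.
KNOWN_ADWARE_NAMES = {"sidefind", "yoursitebar", "internet optimizer", "web_rebates"}

# HJT "O16 - DPF: {CLSID} (Name) - url"; the (Name) part is optional in HJT output.
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
# ComboFix service/driver line: "S3 name;display name;path [timestamp]" (empty [] = file absent).
SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
# ComboFix mountpoints2 entry: "\Shell\AutoRun\command - <command>".
AUTORUN_RE = re.compile(r"\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

# Constructed sample: lines copied from the HJT and ComboFix logs posted in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll",
    r"O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)",
    r"O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB",
    r"O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programfiler\AutoCAD 2002\AcDcToday.ocx",
    r"O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe",
    r"S3 efipsk;efipsk;C:\DOCUME~1\OYVIND~1.YNV\LOKALE~1\Temp\efipsk.sys []",
    r"\Shell\AutoRun\command - F:\Installer.exe",
]


def triage_line(line):
    """Return (severity, reason) for one log line, or None if there is nothing to flag."""
    text = line.strip()
    # Orphaned hook: BHO/toolbar/button still registered although its DLL is gone.
    if "(file missing)" in text or "(no file)" in text:
        return ("low", "registered component whose file is gone; fix it so the hook "
                       "cannot be re-armed by dropping a DLL at that path")
    m = DPF_RE.match(text)
    if m:
        url = urlparse(m.group("url"))
        name = (m.group("name") or "").lower()
        if url.scheme in ("http", "https") and url.hostname not in TRUSTED_DPF_HOSTS:
            severity = "high" if "dialer" in name else "medium"
            return (severity, f"ActiveX download point from untrusted host {url.hostname}")
        return None  # file:// control or a host on the allow-list
    m = SERVICE_RE.match(text)
    if m:
        if TEMP_RE.search(m.group("path")):
            missing = "; file absent" if not m.group("stamp") else ""
            return ("high", "driver/service registered from a Temp directory" + missing)
        return None
    m = AUTORUN_RE.search(text)
    if m:
        return ("medium", f"AutoRun handler for a mounted drive: {m.group('cmd')}")
    lowered = text.lower()
    if text[:3] in ("O2 ", "O3 ", "O9 ") and any(n in lowered for n in KNOWN_ADWARE_NAMES):
        return ("medium", "browser extension point belonging to a known adware family")
    return None


def triage(lines):
    """Run triage_line over every line; return [(severity, reason, line), ...]."""
    findings = []
    for line in lines:
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'low': 2}."""
    return dict(Counter(severity for severity, _, _ in findings))


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {reason}\n         {line}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run it on a whole log with `triage(open("hijackthis.log").read().splitlines())`. The output is a shortlist to review by hand, not a verdict: a clean-looking path under Program Files says nothing about the file, and the allow-list is deliberately small so that anything unexpected surfaces.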
AndersAu (thread author) Posted 23 May 2008
Should the PC be running in safe mode?
AndersAu (thread author) Posted 23 May 2008 (edited)
It still thinks for a long time at startup, but it runs better once it has finished booting? Maybe it has something to do with Norman Virus Control finding 4 viruses, including trojans etc. It said they could not be quarantined. What can I do about them? There is also another user on this PC; do I have to remove spyware from that user too?

Edited 23 May 2008 by AndersAu
norbat Posted 23 May 2008
SAS scans all users on the PC, so you don't need to log in as each user to remove spyware. If Norman is reporting trojans now, could you tell us where these trojans are located? The PC should not be in safe mode when you run these scans.
AndersAu (thread author) Posted 23 May 2008
1) Diagnosis: "Adware: WebRebates.AP" Location: "C:\Programfiler\Web_Rebates\Sy1150\Html\scri1150a.htm"
2) Diagnosis: "Trojan: Malware.CMJR" Location: "C:\temp\SearchRelevancy.exe"
I quarantined both.
norbat Posted 23 May 2008
Run CCleaner again. Remember to set the options so that newer temp files are removed as well. Run ComboFix again, and then we'll take a final look at whether any junk is left.
AndersAu (thread author) Posted 23 May 2008 (edited)
I have run CCleaner; here is the log from ComboFix:

ComboFix 08-05-21.3 - oyvind.aukrust 2008-05-23 22:19:33.2 - NTFSx86
Running from: C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Skrivebord\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.
2008-05-23 22:16 . 2008-05-23 22:16 <DIR> dr-h----- C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Siste
2008-05-23 19:12 . 2008-05-23 19:21 <DIR> d-------- C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\wsInspector
2008-05-23 19:02 . 2008-05-23 19:03 <DIR> d-------- C:\Programfiler\Startup Inspector for Windows
2008-05-23 13:50 . 2008-05-23 13:50 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-05-23 13:50 . 2008-05-23 13:50 <DIR> d-------- C:\Documents and Settings\oyvind.aukrust.YNVS-PC-ACER-22\Programdata\SUPERAntiSpyware.com
2008-05-23 13:50 . 2008-05-23 13:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-05-23 13:49 . 2008-05-23 13:49 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-05-23 12:12 . 2008-05-23 12:12 <DIR> d-------- C:\Programfiler\CCleaner
2008-05-23 11:56 . 2008-05-23 11:56 <DIR> d-------- C:\Programfiler\Trend Micro
2008-05-11 13:20 . 2008-05-11 13:20 <DIR> d-------- C:\Programfiler\Sun
2008-05-11 13:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-11 13:07 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-11 13:07 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-11 12:43 . 2008-05-11 12:45 <DIR> d-------- C:\Programfiler\Windows Live
2008-05-11 12:43 . 2008-05-11 12:44 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller
2008-05-11 12:42 . 2008-05-11 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WLInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 15:25 --------- d-----w C:\Programfiler\Fellesfiler\Autodesk Shared
2008-05-23 15:25 --------- d-----w C:\Programfiler\AutoCAD 2002
2008-05-23 11:36 --------- d-----w C:\Programfiler\Google
2008-05-23 10:39 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-05-11 11:19 --------- d-----w C:\Programfiler\Java
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 166,688 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:11 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 16:35 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:58 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:58 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2001-10-05 09:53 21,866 -c--a-w C:\Programfiler\Fellesfiler\tppupd2k.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-23_16.57.27,48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 13:57:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 20:05:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-05-21 23:00:00 22,016 --s-a-w C:\WINDOWS\system32\borlndmm.dll
+ 2004-07-10 16:55:38 252,416 ----a-w C:\WINDOWS\system32\wsiShared.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 10:35 88267 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Programfiler\Apoint2K\Apoint.exe" [2002-07-25 04:49 151552]
"GhostStartTrayApp"="C:\Programfiler\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 15:21 94208]
"TPP Auto Loader"="C:\WINDOWS\TPPALDR.EXE" [2001-10-05 11:54 118784]
"PE2CKFNT SE"="C:\Programfiler\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51 25088]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 14:40 183352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Photo Express Calendar Checker SE.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Photo Express Calendar Checker SE.lnk
backup=C:\WINDOWS\pss\Photo Express Calendar Checker SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Programfiler\MSN Messenger\msnmsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

R1 GhPciScan;GhostPciScanner;C:\Programfiler\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
R2 eugss;EUTRON SmartKey GSS2 Driver;C:\WINDOWS\system32\Drivers\eugssxp.sys [2005-06-14 10:45]
R2 KeyP;KeyP;C:\WINDOWS\system32\DRIVERS\KeyP.sys [1995-11-07 08:00]
R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 15:56]
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 12:45]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 13:23]
S3 efipsk;efipsk;C:\DOCUME~1\OYVIND~1.YNV\LOKALE~1\Temp\efipsk.sys []
S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2005-06-14 10:45]
S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 15:25]
S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 15:25]
S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 15:25]
S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 15:25]
S3 TPP300;USB Storage Adapter V3 (TPP);C:\WINDOWS\system32\DRIVERS\TPP300.SYS [2001-10-05 11:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73925f44-717e-11dc-9a61-000423707175}]
\Shell\AutoRun\command - F:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder
"2005-02-04 22:37:15 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1097530549.job" - C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 22:24:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-23 22:27:59
ComboFix-quarantined-files.txt 2008-05-23 20:27:43
ComboFix2.txt 2008-05-23 14:58:07
Pre-Run: 14,173,118,464 bytes free
Post-Run: 14,159,982,592 bytes free
127 --- E O F --- 2008-05-17 15:01:37

Edited 23 May 2008 by AndersAu
norbat Posted 23 May 2008
No malware to be seen in that log. You could check whether you can delete the folder C:\Programfiler\Web_Rebates, if it exists. The temp folder (c:/temp) should have been emptied by CCleaner.
AndersAu (thread author) Posted 23 May 2008 (edited)
Yes, I managed to delete Web_Rebates, and the temp folder was empty. Restarted the PC and it started as fast as if it were new. Thanks a lot for the help, norbat!

OK, I declared victory a bit too early. It restarted fairly quickly just then, but when I shut the computer down and turned it on again 5 minutes later, it was just as slow again. It took over 3 minutes from the desktop appearing until it could be used. But it seems all the viruses and spyware are gone, and I have removed all the unnecessary startup programs. So maybe a defragmentation is what's needed?

Edited 23 May 2008 by AndersAu
norbat Posted 24 May 2008
You can try a defragmentation. You can also update SAS and run a quick scan. If it finds anything, make sure it is ticked for deletion. Also run the registry cleaner in CCleaner. Run it several times until it finds no more errors. You will be asked to take a backup before running this cleaner. Say yes to that.